Higher ed CISOs try to enforce security policies on campus

BALTIMORE, MARYLAND – Sometimes, Internet searches by college faculty – even when they’re for academic purposes – could threaten the network of the entire institution.

Robert Turner, chief information security officer at University of Wisconsin–Madison, learned this the hard way when he and his team found that faculty had downloaded large volumes of inappropriate material – including pornography from websites in other countries – through the university’s network.

It turned out that the professors and researchers had been collecting samples for a study about the correlation between pornography and rape rates. Though the download, in this case, was legitimate, the potential security risks and legal issues made the IT team very nervous.

“Here is how you do it next time: Tell us you’re going to do that [beforehand],” Turner recalled advising one of the researchers.

Turner was among more than 10 university security officers gathered Tuesday for the first annual Cyber Security for Higher Education conference hosted by the International Quality & Productivity Center. During the intimate meeting, experts spoke to EdScoop about how to enforce the policies that prevent cyber attacks, data breaches and violations of privacy.

Many security chiefs agreed that written university regulations can hardly ensure people will follow them, an issue when it comes to enforcing cybersecurity policies. Regulations like the federal Family Educational Rights and Privacy Act tell people what to do, but aren’t clear enough about the consequences if people violate the rules, several IT leaders said.

“FERPA is there, but it doesn’t have real teeth,” said Joseph Lee, chief information security officer at Georgetown University. “I mean, no one has ever been sued, for example, for not following FERPA.”

Congress is seeking to overhaul FERPA, and lawmakers heard from parents, advocates and state tech leaders this month about how to adjust the federal law to accommodate new technologies in schools while still preserving students’ privacy.

Some violations could be unintentional. For example, instructors might ask students to post photos of themselves online, so that the professors know what their students look like. It seems like an ordinary request, but it increases the chance for others to identify the students, and could be a concern for those who don’t want to be recognized.

“That’s an example of an unintentional breach,” said Matt Morton, chief information security officer of the University of Nebraska at Omaha. “It’s still under discussion in many states as to whether the picture is shareable.”

Turner said he is building a risk management framework for his Wisconsin school. In his proposal, he is looking for a balance between giving researchers autonomy to conduct their studies, and keeping them abreast of safe Internet protocols.

“I don’t write policies I know people won’t follow,” he said.

But Morton said strong policies should go beyond the necessary protocols to ensure that everyone on campus, from leadership to students, adjusts their online decisions and behaviors.

“You have to set the policy as an aspiration, even though you know you’re not going to reach 100 percent compliance with that,” Morton said. “But if you don’t try, then you’re not going to get anywhere.”